The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Policy based networks allow for detailed control of network access and traffic flow by enabling network administrators to define policies that network devices use for decision making. Policy decisions may be made in multiple places in a network and enforced by more than one network entity. Furthermore, policy decisions may be enforced at different layers of the stack. Traffic is often subjected simultaneously to multiple policies, of multiple policy domains that are independent and unaware of each other, and enforced at multiple points in the network.
The principal entities responsible for policy processing in policy based networks are Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs). A PEP is a logical entity that acts on a request for network resources, permitting or refusing it. For example, a PEP on a data packet router may control user access to other network resources, such as a particular file server. A PDP is a logical entity that evaluates policy and reports its decisions to PEPs. Each PDP is often tied to a particular type of decision. For example, one PDP may make flow control decisions for a particular router interface while another PDP may make authentication decisions. Decisions made by PDPs are reported to the requesting PEP, where a final decision is made for the particular network request. A PDP may be implemented using a general-purpose computer or using a special-purpose computer such as a network infrastructure element.
A PEP may request information from more than one PDP for a given network request in order to make a decision, and a PDP may report to more than one PEP.
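The following Python sketch is an added illustration of the PEP/PDP fan-out just described; it is not code from this application. It assumes (none of which the text specifies) that a request is a dictionary of packet and user attributes, that each PDP answers PERMIT, DENY or NOT_APPLICABLE, and that the PEP reaches its final decision with a deny-overrides rule, failing closed when a PDP cannot answer. One authentication PDP serves two PEPs, and one PEP consults both an authentication PDP and a flow-control PDP for the same request.

```python
"""PEP/PDP fan-out illustration (added example, not the application's own code).

Assumptions not present in the original text: a request is a dict of
attributes; each PDP returns PERMIT, DENY or NOT_APPLICABLE; the PEP combines
the answers deny-overrides and fails closed if any PDP cannot answer.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NOT_APPLICABLE = "not_applicable"


Request = Dict[str, object]


@dataclass
class PDP:
    """A policy decision point tied to one type of decision."""
    name: str
    rule: Callable[[Request], Decision]
    # Record of which PEPs have consulted this PDP (one PDP may serve many PEPs).
    served_peps: List[str] = field(default_factory=list)

    def decide(self, pep_name: str, req: Request) -> Decision:
        self.served_peps.append(pep_name)
        return self.rule(req)


@dataclass
class PEP:
    """A policy enforcement point that consults several PDPs per request."""
    name: str
    pdps: List[PDP]

    def enforce(self, req: Request) -> Decision:
        verdicts: List[Decision] = []
        for pdp in self.pdps:
            try:
                verdicts.append(pdp.decide(self.name, req))
            except Exception:
                # Fail closed: an unreachable or crashing PDP must never
                # degrade into an implicit PERMIT.
                return Decision.DENY
        if Decision.DENY in verdicts:
            return Decision.DENY      # deny-overrides
        if Decision.PERMIT in verdicts:
            return Decision.PERMIT
        return Decision.DENY          # no PDP applied: default deny


# --- Two PDPs of different decision types (constructed sample policy) ----------
AUTHENTICATED_USERS = {"alice", "bob"}


def authn_rule(req: Request) -> Decision:
    return Decision.PERMIT if req.get("user") in AUTHENTICATED_USERS else Decision.DENY


def flow_rule(req: Request) -> Decision:
    # Flow-control policy for the interface facing the file server 10.0.0.20:
    # only SMB (445) and NFS (2049) are allowed; other destinations are not its concern.
    if req.get("dst") != "10.0.0.20":
        return Decision.NOT_APPLICABLE
    return Decision.PERMIT if req.get("dport") in (445, 2049) else Decision.DENY


def broken_rule(req: Request) -> Decision:
    raise ConnectionError("PDP unreachable")  # simulates a PDP outage


authn_pdp = PDP("authn", authn_rule)
flow_pdp = PDP("flow-eth0", flow_rule)

# Two PEPs (e.g. a router interface and the file server itself) share one authn PDP.
router_pep = PEP("router-a", [authn_pdp, flow_pdp])
fileserver_pep = PEP("fileserver", [authn_pdp])

SAMPLE_REQUESTS: List[Request] = [  # constructed sample traffic
    {"user": "alice", "src": "10.0.1.5", "dst": "10.0.0.20", "dport": 445},
    {"user": "alice", "src": "10.0.1.5", "dst": "10.0.0.20", "dport": 22},
    {"user": "mallory", "src": "10.0.1.9", "dst": "10.0.0.20", "dport": 445},
    {"user": "bob", "src": "10.0.1.6", "dst": "10.0.0.30", "dport": 80},
]


def run_samples() -> List[Decision]:
    """Final decisions of the router PEP for each sample request."""
    return [router_pep.enforce(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, run_samples()):
        print(req["user"], req["dst"], req["dport"], "->", d.value)
    print("authn PDP consulted by:", sorted(set(authn_pdp.served_peps)))
```

The deny-overrides combination and the fail-closed branch are the two choices a practitioner should make explicitly: with independent policy domains enforced at the same point, a single permissive PDP must not be able to outvote a denying one, and a PDP outage must not be indistinguishable from a permit.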